- From: Philip Taylor <excors+whatwg@gmail.com>
- Date: Wed, 3 Jun 2009 08:36:10 +0100
On Wed, Jun 3, 2009 at 12:51 AM, Aryeh Gregor <Simetrical+w3c at gmail.com> wrote:
> Sending a text/plain Content-Type will not prevent any
> (default-configured) version of IE from interpreting the file as HTML,
> even if it's the *only* Content-Type header sent. This is why Adam
> Barth said "The only browser that uses the first header more or less
> ignores it anyway." This apparently isn't fixed even in IE8: it
> insists on still upsniffing text/plain to text/html unless you use the
> nonstandard header "Content-Type: text/plain; authoritative=true;".

http://blogs.msdn.com/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx - it's "X-Content-Type-Options: nosniff" now (and is used a bit in practice - it's on about 0.1% of pages from http://www.dotnetdotcom.org/, though about half of them are owned by Google or Microsoft).

--
Philip Taylor
excors at gmail.com
Received on Wednesday, 3 June 2009 00:36:10 UTC